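// Package user holds the bootstrap definitions of the built-in ("system")
// permissions and roles, plus the routine that seeds them into the repository.
package user

import (
	"context"
	"log"

	"gitea.local/admin/hspguard/internal/repository"
)

// String returns a pointer to a copy of s. It exists because the repository
// models optional text fields such as descriptions as *string.
func String(s string) *string {
	return &s
}

// RolePermissions pairs a repository.Role with the permission keys that are
// assigned to it when the role is seeded.
type RolePermissions struct {
	// Permissions holds the keys passed to AssignRolePermission. The entries
	// below are written as "<scope>_<permission name>" (e.g. "system_register");
	// presumably that is the key format the repository expects — verify there.
	Permissions []string `json:"permissions"`
	repository.Role
}

var (
	// SYSTEM_SCOPE is the scope under which every built-in permission and
	// role is created and looked up.
	SYSTEM_SCOPE string = "system"

	// SYSTEM_PERMISSIONS lists the built-in permissions seeded at startup.
	// Entries described with "(for admin)" are administrative capabilities;
	// only the admin role in SYSTEM_ROLES receives them.
	SYSTEM_PERMISSIONS []repository.Permission = []repository.Permission{
		{
			Name:        "log_into_guard",
			Description: String("Allow users to log into their accounts"),
		},
		{
			Name:        "register",
			Description: String("Allow users to register new accounts"),
		},
		{
			Name:        "edit_profile",
			Description: String("Allow users to edit their profiles"),
		},
		{
			Name:        "recover_credentials",
			Description: String("Allow users to recover their password/email"),
		},
		{
			Name:        "verify_profile",
			Description: String("Allow users to verify their accounts"),
		},
		{
			Name:        "access_home_services",
			Description: String("Allow users to access home services and tools"),
		},
		{
			Name:        "view_sessions",
			Description: String("Allow users to view their active sessions"),
		},
		{
			Name:        "revoke_sessions",
			Description: String("Allow users to revoke their active sessions"),
		},
		{
			Name:        "view_api_services",
			Description: String("Allow users to view API Services (for admin)"),
		},
		{
			Name:        "add_api_services",
			Description: String("Allow users to register new API Services (for admin)"),
		},
		{
			Name:        "edit_api_services",
			Description: String("Allow users to edit API Services (for admin)"),
		},
		{
			Name:        "remove_api_services",
			Description: String("Allow users to remove API Services (for admin)"),
		},
		{
			Name:        "view_users",
			Description: String("Allow users to view other users (for admin)"),
		},
		{
			Name:        "add_users",
			Description: String("Allow users to create new users (for admin)"),
		},
		// TODO: block, delete users
		{
			Name:        "view_user_sessions",
			Description: String("Allow users to view user sessions (for admin)"),
		},
		{
			Name:        "revoke_user_sessions",
			Description: String("Allow users to revoke user sessions (for admin)"),
		},
		{
			Name:        "view_service_sessions",
			Description: String("Allow users to view service sessions (for admin)"),
		},
		{
			Name:        "revoke_service_sessions",
			Description: String("Allow users to revoke service sessions (for admin)"),
		},
		{
			Name:        "view_permissions",
			Description: String("Allow users to view all permissions (for admin)"),
		},
		{
			Name:        "view_roles_groups",
			Description: String("Allow users to view roles & groups (for admin)"),
		},
	}

	// SYSTEM_ROLES lists the built-in roles and the permission keys each one
	// receives: admin gets every system permission, member the self-service
	// subset, and guest only login and registration. Seeding a role does not
	// assign it to any user.
	SYSTEM_ROLES []RolePermissions = []RolePermissions{
		{
			Permissions: []string{
				"system_log_into_guard",
				"system_register",
				"system_edit_profile",
				"system_recover_credentials",
				"system_verify_profile",
				"system_access_home_services",
				"system_view_sessions",
				"system_revoke_sessions",
				"system_view_api_services",
				"system_add_api_services",
				"system_edit_api_services",
				"system_remove_api_services",
				"system_view_users",
				"system_add_users",
				"system_view_user_sessions",
				"system_revoke_user_sessions",
				"system_view_service_sessions",
				"system_revoke_service_sessions",
				"system_view_permissions",
				"system_view_roles_groups",
			},
			Role: repository.Role{
				Name:        "admin",
				Description: String("User with full power"),
			},
		},
		{
			Permissions: []string{
				"system_log_into_guard",
				"system_register",
				"system_edit_profile",
				"system_recover_credentials",
				"system_verify_profile",
				"system_access_home_services",
				"system_view_sessions",
				"system_revoke_sessions",
			},
			Role: repository.Role{
				Name:        "member",
				Description: String("User that is able to use home services"),
			},
		},
		{
			Permissions: []string{
				"system_log_into_guard",
				"system_register",
			},
			Role: repository.Role{
				Name:        "guest",
				Description: String("New user that needs approve for everything from admin"),
			},
		},
	}
)

// EnsureSystemPermissions seeds SYSTEM_PERMISSIONS and SYSTEM_ROLES into repo:
// every permission and role that cannot be found in SYSTEM_SCOPE is created,
// and each role's permission keys are assigned to it. It is meant to run once
// at startup; any failure to create or assign is fatal (log.Fatalf terminates
// the process).
//
// Parameters:
//   - ctx:  passed through to every repository call.
//   - repo: the query layer used to look up, create and link permissions and roles.
func EnsureSystemPermissions(ctx context.Context, repo *repository.Queries) {
	for _, permission := range SYSTEM_PERMISSIONS {
		ensureSystemPermission(ctx, repo, permission)
	}
	for _, role := range SYSTEM_ROLES {
		ensureSystemRole(ctx, repo, role)
	}
}

// ensureSystemPermission creates permission in SYSTEM_SCOPE when the lookup
// fails. A creation failure is fatal.
func ensureSystemPermission(ctx context.Context, repo *repository.Queries, permission repository.Permission) {
	_, err := repo.FindPermission(ctx, repository.FindPermissionParams{
		Name:  permission.Name,
		Scope: SYSTEM_SCOPE,
	})
	if err == nil {
		return
	}
	// NOTE(review): every lookup error is treated as "not found", so a
	// transient database error also reaches CreatePermission and then
	// log.Fatalf. If the repository returns a distinguishable "no rows" error,
	// check for it here and fail fast on anything else.
	log.Printf("INFO: Creating SYSTEM permission: '%s'\n", permission.Name)
	_, err = repo.CreatePermission(ctx, repository.CreatePermissionParams{
		Name:        permission.Name,
		Scope:       SYSTEM_SCOPE,
		Description: permission.Description,
	})
	if err != nil {
		// The underlying error is included so a failed bootstrap is
		// diagnosable; the role path below already reports it the same way.
		log.Fatalf("ERR: Failed to create SYSTEM permission: '%s': %v\n", permission.Name, err)
	}
}

// ensureSystemRole finds or creates role in SYSTEM_SCOPE and then assigns
// every key in role.Permissions to it. Creation and assignment failures are
// fatal.
func ensureSystemRole(ctx context.Context, repo *repository.Queries, role RolePermissions) {
	found, err := repo.FindRole(ctx, repository.FindRoleParams{
		Scope: SYSTEM_SCOPE,
		Name:  role.Name,
	})
	if err != nil {
		// Same caveat as for permissions: any lookup error leads to a create.
		log.Printf("INFO: Create new SYSTEM role '%s'\n", role.Name)
		found, err = repo.CreateRole(ctx, repository.CreateRoleParams{
			Name:        role.Name,
			Scope:       SYSTEM_SCOPE,
			Description: role.Description,
		})
		if err != nil {
			log.Fatalf("ERR: Failed to create SYSTEM role '%s': %v\n", role.Name, err)
		}
	}
	// Keys are assigned on every startup, for pre-existing roles too. This
	// presumes AssignRolePermission tolerates re-assigning an existing key —
	// confirm against the repository; otherwise the second boot is fatal here.
	for _, perm := range role.Permissions {
		if err := repo.AssignRolePermission(ctx, repository.AssignRolePermissionParams{
			RoleID: found.ID,
			Key:    perm,
		}); err != nil {
			log.Fatalf("ERR: Failed to assign permission '%s' to SYSTEM role %s: %v\n", perm, found.Name, err)
		}
	}
}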